Enterprise Risk Management


1 Enterprise Risk Management
NYSICA May 10, 2018

2 Agenda
Background
Why SUNY Enterprise Risk Management Program?
Approach to Enterprise Risk
Structure of SUNY Enterprise Risk Management Program
High Risk Areas Identified
Enterprise Risk Management Emphasis
Enterprise Risk Management Activities / Outcomes

3 Why Enterprise Risk Management Program?
Background
State University of New York
Large, complex organization
64 campuses
$13.3B
Highly regulated industry
Many affiliated/campus-related entities
Ongoing strategic initiatives, goals and objectives
High quality reputation/brand
Large volume of students, employees, and visitors
1.3M students served
91,137 employees
Subject to a number of risks

4 Five Types of Risk

5 ERM Categorization of Risk
Two-tiered Approach:
Tier I: Strategic, External, Industry
Tier II: Operational, Financial, Compliance, Reputational Risk

6 ERM Supporting Structure
[Diagram] Labels: ERM Steering Committee; Advisory Groups; Campus Based; CCBOA; SUBOA; Compliance Efforts; System Admin Leaders; Hospitals; Risk Managers; Internal Control Officers; Construction Fund; Campus Leadership; Research Foundation

7 ERM Reporting Structure
[Diagram] Reporting line: Board of Trustees; Audit Committee of the Board of Trustees; Chancellor & Chancellor's Cabinet; ERM Steering Committee
Labels on the reporting line: Periodic Reports; Oversight and Approval
ERM Steering Committee Co-Chairs: Senior Vice Chancellor for Finance and CFO; Senior Vice Chancellor for Leadership and Employee Development
Committee Members: University Controller; University Auditor; Deputy General Counsel; Director of Risk Management and Compliance Officer; Internal Control Officer; Compliance and Risk Management Coordinators; Ethics Officer; Chief Information Security Officer; Associate Provost for Student Affairs; External ERM Consultant

8 ERM Approach
[Diagram] Cycle: IDENTIFY, ASSESS, MANAGE, MONITOR
Labels: Risk Areas; Objectives; Subject Matter Experts; ERM Steering Committee & Consultants; SUNY ERM; Preliminary & In-depth Risk Assessments; Likelihood & Impact; Existing Controls; Management Plans; Policies & Procedures; Internal Controls; Internal Audits & Control Evaluations
Cyber Threats: Ransomware/Cryptolockers; Phishing/Spearing/Whaling; Data/Identity Theft; Denial of Service; Social Engineering; Malware; Password Attacks; Internal Attacks

9 High Risk Areas
Succession Planning
Cyber/Information Security
Research Compliance
Enrollment Management
Employment Related Human Resources
Healthcare/Hospitals
Government Support
Academic Integrity/Relevance
Facility Conditions and Maintenance
Recruiting/Retaining Top Talent
Athletics
Campus/Public Safety
Payment Card Industry Compliance
Legal and Regulatory Compliance
Related Entities
International Programs and Study Abroad
Clinical Practice Management Plans
Financial Management Systems and Applications
Environmental Health and Safety
Cyber Threats: Ransomware/Cryptolockers; Phishing/Spearing/Whaling; Data/Identity Theft; Denial of Service; Social Engineering; Malware; Password Attacks; Internal Attacks
Color legend: Red – Manage/Monitor; Green – Assess; Purple – Identify; Black – Preliminary

10 ERM Emphasis
Building awareness and stressing the importance of a risk-aware culture
SUNY-wide Training Program
Board of Trustees Meetings
System Leadership and Presidents’ Meetings
Defined responsibilities of accountability are critical to success
Effective orientation process for new hires
Continuous training and awareness
Comprehensive policies/procedures – SUNY-wide and campuses

11 ERM Activities / Outcomes
Enhancements and Positive Actions taken for:
Information Security: SUNY Information Security Policy Adopted – September 2016
Campus/Public Safety: State Ops – Full DCJS Accreditation by 2020; Community College assessments ongoing
Payment Card Industry Compliance: Completed calls with select campuses; Issued best practice guidance to campuses
Legal and Regulatory Compliance: Compliance Program Assessment; Completed campus survey; Identified improvement opportunities; Developing a formal compliance program

12 Questions
